The Equation Group, hard drives and the Death Star of malware

Researchers at Kaspersky Lab have uncovered a new cyber-espionage toolset that possesses more than a passing resemblance to similar kits used by US intelligence agencies.

In a report released last Monday, the Moscow-based security firm detailed the attack tools which it says were created by the “Equation Group”.

The hacker group, Kaspersky says, successfully infiltrated thousands of government agencies with what it describes as the “Death Star” of malware.

The long list of victims includes military bodies, government and diplomatic institutions, Islamic leaders and thousands of firms across the aerospace, finance, media, energy, and tech industries.

Analysis of the Equation group’s command and control infrastructure revealed how widely spread it has become, featuring some 300 domains as well as over 100 servers located in the US, UK, Italy, Germany, Panama, Costa Rica, Malaysia, Colombia, the Czech Republic and many others.

Kaspersky described a collection of tools utilised by Equation, naming them as:

EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.

DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.

EQUESTRE – Same as EQUATIONDRUG.

TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.

GRAYFISH – The most sophisticated attack platform from the EQUATION Group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.

FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system.
Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.

EQUATIONLASER – An early implant from the EQUATION group, used around2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.

Kaspersky researchers also warned that the list of tools was unlikely to be exhaustive, suggesting Equation may still have more surprises to spring.

Worryingly, some of the tools discovered by Kaspersky have similarities with old favourites including the Flame malware and Stuxnet which targeted Iranian nuclear reactors under the direction of US President Barack Obama.

The Equation tools were discovered on “dozens of popular HDD brands” and, according to Costin Raiu, director of Kaspersky Lab’s global research and analysis team, were able to remain both undetected and irremovable – the malware infected the firmware on drives, allowing it to “resurrect” itself, even after a drive was reformatted or the operating system was reinstalled.

Raiu explained:

“Once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware. To put it simply: for most hard drives there are functions to write into the hardware/firmware area, but there are no functions to read it back.

It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”

Using the Grayfish tool, Equation also creates a hidden and persistent area on a hard drive which is then used to save stolen data which can be collected at a later time by the attackers and used for breaking encryption protocols. Raiu explained how Grayfish runs at boot, making the capture of encrypted passwords a relative breeze.

Network access to machines is not even an essential prerequisite to getting Equation on to a drive – Raiu explained that the Fanny component was of particular interest because it had the ability to bypass airgap defences and could be propagated via a “unique USB-based command and control mechanism,” using USB sticks with a hidden partition that could be used to collect system data from a system when installed and activated.

When the USB stick is later plugged into a system with internet connectivity it will forward the stored data to its command and control servers.

Kaspersky began trailing the Equation group after analysing a computer belonging to a Middle East research institute in 2008. It discovered the Fanny component being used to attack unknown vulnerabilities with two zero-day exploits, both of which were later discovered to be coded into Stuxnet.

Despite such a strong digital likeness to components of Stuxnet, a spokesperson for the NSA would not confirm US involvement in Equation, saying that the agency was aware of the report but was unwillingly to discuss or pass any comment upon it.